Method for verifying the validity of a user

ABSTRACT

The invention discloses a method for verifying the validity of a user, making full use of a B-TID as the bridge for establishing confidence between a NAF and a user equipment, with the BSF assigning a term of validity for the B-TID, thereby extending the function of the B-TID and enabling the NAF to verify the term of validity for using the B-TID, and accordingly achieving a further verification of the validity of the user. By using the method of the invention, it is possible to avoid the situation in which one B-TID is permanently valid for one or more NAFs, enhance the system security, decrease the risks caused by the theft of users' B-TIDs and corresponding secret keys, and at the same time implement B-TID management by the NAF. In addition, a combination of the method with a billing system makes it easy to implement the function of charging a user.

FIELD OF THE INVENTION

The present invention relates to the third generation (3G) wireless communication technology, and more specifically to a method for verifying the validity of a user.

BACKGROUND OF THE INVENTION

In the 3G wireless communication standards, the generic authentication architecture describes a generic architecture adopted by a number of Network Application Functions (NAFs) for verifying the validity of users. By means of the generic authentication architecture, it is possible to implement the authentication and verification of a user requesting a service. The above application functions may include multicast/broadcast service, subscriber certificate service, and instant message supply service, as well as proxy service, e.g. multiple service function entities may be connected with a proxy entity. The generic authentication architecture handles the proxy as a kind of service, so the construction may be very flexible. Moreover, the generic authentication architecture may be adopted for the authentication and verification of users requesting newly developed services.

FIG. 1 is a schematic structure diagram of the generic authentication architecture. Typically, the generic authentication architecture includes a User Equipment (UE) 101, a Bootstrapping Server Function (BSF) 102, a Home Subscriber System (HSS) 103 and an NAF 104. The BSF 102 is used for mutual authentication with the UE 101, and simultaneously for generating a secret key shared with the UE 101. A profile document used for describing the subscriber information is stored in the HSS 103, which will generate authentication information.

When a UE requests a service, if the UE knows that the service requires a mutual authentication procedure in the BSF, the UE will perform a mutual authentication in the BSF directly; otherwise, the UE will first contact the NAF corresponding to the service. If the NAF applying the generic authentication architecture requires the UE to perform a bootstrapping authentication in the BSF, the NAF will instruct the UE to perform a bootstrapping authentication by means of the generic authentication architecture; otherwise, the NAF executes other appropriate processing.

FIG. 2 is a flowchart for authentication by the generic authentication architecture in the prior art.

Step 201: A UE sends to an NAF an application request message.

Step 202: Upon receiving the message, the NAF finds that the UE has not performed a mutual authentication in a BSF, and then instructs the UE to perform a bootstrapping authentication in the BSF.

Step 203: The UE sends to the BSF a bootstrapping request message.

Step 204: Upon receiving the bootstrapping request message from the UE, the BSF queries the HSS for the necessary authentication information of the UE and the profile document thereof, and receives a response from the HSS.

Step 205: Upon receiving the response message from the HSS containing the information inquired, the BSF performs an Authentication and Key Agreement (AKA) protocol based mutual authentication with the UE using the information inquired. When completing the AKA protocol based mutual authentication with the UE, i.e. passing the mutual authentication, the BSF generates a secret key shared with the UE (Ks).

Step 206: The BSF assigns the UE a Bootstrapping Transaction Identifier (B-TID) including only an identity and valid for one or more NAFs. The B-TID is associated with the Ks.

Step 207: Upon receiving the B-TID assigned by the BSF, the UE resends to the NAF an application request message which contains the information of the B-TID.

Step 208: Upon receiving the application request message containing the information of the B-TID sent from the UE, the NAF will first conduct a local inquiry. If the NAF finds the information of the B-TID locally, it proceeds directly to Step 210; otherwise, it sends to the BSF a B-TID inquiring message containing the local identity of the NAF, and then proceeds to Step 209.

Step 209: Upon receiving the B-TID inquiring message from the NAF, the BSF will, if it finds the B-TID inquired by the NAF, send to the NAF a response message of success. The NAF stores the contents of the response message and proceeds to Step 210. Otherwise, the BSF will send to the NAF a response message of failure, notifying the NAF that there is no information of the UE; the NAF will then instruct the UE to perform a bootstrapping authentication in the BSF, and end the procedure.

The response message of success includes the B-TID found, and the Ks corresponding to the B-TID or a derived secret key generated from the Ks according to the security level of the NAF. As long as it receives a response message of success from the BSF, the NAF will believe that the UE is a legitimate UE that has passed authentication by the BSF, and will share the Ks or the derived secret key with the UE.

Step 210: The NAF makes normal communications with the UE, i.e. data transmission, and protects further communications using the Ks or the derived secret key.

After the first communication process between the UE and the NAF is over, the authenticated B-TID is used for further communications between the UE and the NAF. Since the B-TID may be used repeatedly, and any NAF may inquire the corresponding B-TID from the BSF if it cannot find the B-TID locally, once it has obtained a legitimate B-TID the UE may make communications with the NAF using that B-TID for an indefinite period.

SUMMARY OF THE INVENTION

The present invention provides a method for verifying the validity of a user by means of checking whether a B-TID of a user is valid.

The solution in accordance with the present invention is implemented as follows:

According to an aspect of the present invention, when an NAF receives an application request message containing B-TID information, it determines whether the B-TID information exists locally; if it exists, the NAF determines whether the B-TID expires. If the B-TID expires, the NAF will make normal communications with the UE; otherwise, the NAF will instruct the UE to perform a bootstrapping authentication in a BSF again.

If there is no B-TID information in the NAF, the NAF will send to the BSF a B-TID inquiring message containing the identity of the NAF. If the BSF finds the B-TID inquired by the NAF, it will return to the NAF a response message of success containing the B-TID found and the term of validity for the B-TID; the NAF first stores the contents of the response message from the BSF and then makes normal communications with the UE. If the BSF fails to find the B-TID required by the NAF, it will return to the NAF a response message of failure, and the NAF will instruct the UE to perform a bootstrapping authentication in the BSF.

According to another aspect of the present invention, when an NAF receives an application request message containing a bootstrapping transaction identifier (B-TID), it determines whether the B-TID information exists locally; if it exists, the NAF determines whether the B-TID expires. If the B-TID expires, the NAF will make normal communications with the UE; otherwise, the NAF will instruct the UE to perform a bootstrapping authentication in a BSF again.

It can be seen from the above-mentioned scheme that the present invention takes full advantage of the B-TID being a bridge for establishing a confidence relationship between the NAF and the UE: through a BSF assigning a term of validity for a B-TID, it extends the functions of the B-TID and enables an NAF to verify the term of validity of the B-TID used by the UE, thereby implementing a further verification of the validity of the UE. By the method of the present invention, it is possible to avoid the situation where a B-TID is permanently valid for an NAF, improve the system security, lower the possibility of a UE's B-TID and the corresponding secret key thereof being stolen, and implement the management of B-TIDs by an NAF. In addition, a combination of the method with the billing system will make it easy to implement the charging of a user.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic structure diagram illustrating the generic authentication architecture.

FIG. 2 is a flowchart of a UE authentication using the generic authentication architecture in the prior art.

FIG. 3 is a flowchart of verifying the validity of a UE in accordance with an embodiment of the present invention.

FIG. 4 is a flowchart of verifying the validity of a UE in accordance with another embodiment of the present invention.

FIG. 5 is a flowchart of verifying the validity of a UE in accordance with yet another embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

In order to make the technical solution of the present invention clearer, a further and detailed description of the present invention is hereinafter given with reference to the accompanying drawings and specific embodiments.

According to an aspect of the present invention, when an NAF receives an application request message containing the information of a B-TID, it determines whether the information of the B-TID exists locally; if it exists, the NAF determines whether the UE is legitimate by determining whether a preset term of validity for the B-TID used by the UE is overrun. If the UE is legitimate, the NAF will make normal communications with the UE; otherwise, the NAF will instruct the UE to perform a bootstrapping authentication in a BSF again.

If there is no information of the B-TID in the NAF, the NAF will send to the BSF a B-TID inquiring message containing the identity of the NAF. If the BSF finds the B-TID inquired by the NAF, it will return to the NAF a response message of success containing the B-TID found and the term of validity for the B-TID; the NAF first stores the contents of the response message from the BSF and then makes normal communications with the UE. If the BSF fails to find the B-TID required by the NAF, it will return to the NAF a response message of failure, and the NAF will instruct the UE to perform a bootstrapping authentication in the BSF.

The invention is hereinafter described in detail by several specific embodiments.

First Embodiment

A BSF assigns a UE a B-TID which is valid for one or more NAFs, without enciphering the B-TID.

FIG. 3 is a flowchart for verifying the validity of a UE in accordance with the first embodiment of the present invention.

Step 301: A UE sends an application request message to an NAF.

Step 302: Upon receiving the message, the NAF finds that the UE has not performed a mutual authentication with a BSF, and then instructs the UE to perform a bootstrapping authentication in the BSF.

Step 303: The UE sends to the BSF a bootstrapping request message.

Step 304: Upon receiving the bootstrapping request message from the UE, the BSF queries an HSS for the authentication information and profile of the UE, and receives a response message from the HSS.

Step 305: Upon receiving the response message containing the information found sent from the HSS, the BSF performs an AKA protocol based mutual authentication with the UE using the information found. When completing the AKA protocol based mutual authentication with the UE, i.e. passing the mutual authentication, the BSF generates a secret key shared with the UE (Ks).

Step 306: The BSF assigns the UE a B-TID containing only an identity and valid for one or more NAFs at the same time.

Step 307: Upon receiving the B-TID assigned by the BSF, the UE resends to the NAF an application request message containing the information of the B-TID.

Step 308: Upon receiving the application request message containing the information of the B-TID sent from the UE, the NAF determines whether the information of the B-TID exists locally. If it exists, the NAF determines whether the valid lifetime or the valid times of use for the B-TID is overrun; if overrun, it proceeds to Step 309, otherwise to Step 310.

If there is no information of the B-TID in the NAF, the NAF will send to the BSF a B-TID inquiring message containing the identity of the NAF. If the BSF finds the B-TID, the BSF will first generate a derived secret key valid for the inquiring NAF based on the user identity, the NAF identity and the root secret key corresponding to the B-TID, and then assign, according to the security level of the inquiring NAF and the profile information of the UE, a term of validity for the derived secret key generated for the inquired B-TID, where the term of validity is a valid lifetime and/or valid times of use and is valid only for the inquiring NAF. The BSF thereafter sends a response message of success to the NAF, and the NAF stores the contents of the response message of success and proceeds to Step 310. If the BSF fails to find the B-TID, the BSF will send to the NAF a response message of failure and proceed to Step 309.

The above-mentioned response message of success includes the B-TID inquired by the NAF, the derived secret key corresponding to the B-TID and generated for the inquiring NAF, as well as the term of validity of the derived secret key. The derived secret key for the inquiring NAF has been generated when the UE sends the application request to the NAF using the B-TID assigned by the BSF. When the NAF receives the response message of success from the BSF, the NAF starts to share the derived secret key generated for the inquiring NAF with the UE.

Step 309: The NAF instructs the UE to perform a bootstrapping authentication in the BSF, and ends this procedure.

Step 310: The NAF makes normal communications with the UE, i.e. data transmission, and protects further communications using the secret key derived from the Ks.

Though the B-TID used by a UE is valid for one or more NAFs at the same time, the derived secret keys for different NAFs, as well as the terms of validity thereof assigned by the BSF, are different; i.e. the same B-TID, when used for different NAFs, corresponds to different derived secret keys and different terms of validity. In terms of one NAF, however, the B-TID of the UE and the corresponding derived secret key thereof are unique.

When the B-TID used by the UE and the corresponding secret key for a certain NAF expire, the UE will perform a bootstrapping authentication in the BSF again. After the authentication succeeds, the BSF will assign the UE a new B-TID and generate a new shared secret key (Ks′) corresponding to the new B-TID. Upon receiving the new B-TID, the UE will send a new application request message using the new B-TID, while the new request message also contains the information of the old B-TID. Thus the NAFs using the old B-TID and the derived secret keys thereof will not be affected, and a new B-TID will not be used unless the UE sends an application request again or the NAF requires that the UE update the B-TID, thereby avoiding the impact of one NAF requesting to update the B-TID on other NAFs currently using the B-TID.

When an NAF receives a new B-TID, the NAF will always conduct inquiry of the B-TID in the BSF. If the inquiry succeeds, the BSF will return to the NAF a response message of success which also includes the B-TID inquired by the NAF, the secret key derived for the B-TID based on such parameters as the identity of the inquiring NAF and the root secret key, and the term of validity corresponding to the derived secret key. Upon receiving the response message of success from the BSF, the NAF will store the new B-TID in the response message of success, the derived secret key corresponding to the B-TID and the term of validity thereof. At the same time, the NAF will disable or delete the old B-TID stored in it and the secret key corresponding to the old B-TID.

Since the old B-TID used by a UE corresponds to multiple NAFs at the same time, when the B-TID expires for a certain NAF, it is quite possible that the B-TID is still valid for other NAFs. Since each NAF receiving a new B-TID will conduct inquiry in the BSF, for the sake of system security, each NAF receiving a new B-TID will replace the old B-TID and the related information thereof with the new B-TID of the UE and the related information thereof. In this way, not only does B-TID management become less complex, but the security of B-TIDs and the corresponding secret keys is enhanced.
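The first embodiment, Steps 301 to 310 together with the B-TID rollover just described, simulated in Python as an added example (this is not code from the patent or from any 3GPP implementation). AKA and the HSS lookup are not modelled; the derived key is assumed to be HMAC-SHA256 over the user and NAF identities keyed with Ks; the per-NAF validity policy, the NAF names and the user identity are constructed stand-ins for "security level of the NAF" and "profile information of the UE"; time is an injected counter so the scenario runs offline.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed per-NAF policy standing in for the NAF's security level:
# (valid lifetime in seconds or None, valid times of use or None).
NAF_POLICY = {
    "naf-a.example": (3600, None),  # lifetime only
    "naf-b.example": (None, 3),     # times of use only
}


@dataclass
class Validity:
    """Term of validity of a derived key, and hence of the B-TID, for one NAF."""
    expires_at: Optional[int]  # absolute time; None = no lifetime limit
    uses_left: Optional[int]   # remaining times of use; None = no use limit

    def overrun(self, now: int) -> bool:
        if self.expires_at is not None and now >= self.expires_at:
            return True
        if self.uses_left is not None and self.uses_left <= 0:
            return True
        return False


def derive_naf_key(ks: bytes, user_id: str, naf_id: str) -> bytes:
    """Assumed derivation: HMAC-SHA256 over user and NAF identity, keyed with Ks.
    The BSF and the UE both compute it; the NAF only ever receives the result."""
    return hmac.new(ks, f"{user_id}|{naf_id}".encode(), hashlib.sha256).digest()


class BSF:
    def __init__(self) -> None:
        self.sessions: dict[str, tuple[str, bytes]] = {}  # B-TID -> (user, Ks)

    def bootstrap(self, user_id: str) -> tuple[str, bytes]:
        """Steps 303-306 with AKA left out: a fresh Ks and a B-TID bound to it."""
        ks = os.urandom(32)
        b_tid = os.urandom(8).hex() + "@bsf.example"
        self.sessions[b_tid] = (user_id, ks)
        return b_tid, ks

    def inquire(self, b_tid: str, naf_id: str, now: int) -> Optional[dict]:
        """BSF side of Step 308: per-NAF derived key plus a per-NAF term of validity."""
        if b_tid not in self.sessions:
            return None  # response message of failure
        user_id, ks = self.sessions[b_tid]
        lifetime, uses = NAF_POLICY[naf_id]
        return {
            "b_tid": b_tid,
            "key": derive_naf_key(ks, user_id, naf_id),
            "validity": Validity(now + lifetime if lifetime else None, uses),
        }


class NAF:
    def __init__(self, naf_id: str, bsf: BSF) -> None:
        self.naf_id, self.bsf = naf_id, bsf
        self.store: dict[str, dict] = {}  # locally cached B-TID records

    def handle_request(self, b_tid: str, now: int, old_b_tid: Optional[str] = None):
        """Step 308 check; returns ('ok', key) or ('rebootstrap', None) for Step 309."""
        rec = self.store.get(b_tid)
        if rec is None:
            rec = self.bsf.inquire(b_tid, self.naf_id, now)
            if rec is None:
                return "rebootstrap", None
            self.store[b_tid] = rec
            if old_b_tid is not None and old_b_tid != b_tid:
                self.store.pop(old_b_tid, None)  # new B-TID replaces the old one here
        if rec["validity"].overrun(now):
            return "rebootstrap", None
        if rec["validity"].uses_left is not None:
            rec["validity"].uses_left -= 1
        return "ok", rec["key"]


def run_scenario() -> dict:
    """One UE, one B-TID shared by two NAFs, then a rollover to a new B-TID."""
    bsf = BSF()
    naf_a, naf_b = NAF("naf-a.example", bsf), NAF("naf-b.example", bsf)
    user = "user@home.example"
    b_tid, ks = bsf.bootstrap(user)
    out = {}
    out["a_first"], key_a = naf_a.handle_request(b_tid, now=0)
    out["b_first"], key_b = naf_b.handle_request(b_tid, now=0)
    out["keys_differ"] = key_a != key_b            # same B-TID, different per-NAF keys
    out["ue_matches_a"] = key_a == derive_naf_key(ks, user, "naf-a.example")
    out["a_before_expiry"] = naf_a.handle_request(b_tid, now=3599)[0]
    out["a_after_expiry"] = naf_a.handle_request(b_tid, now=3600)[0]
    # naf-b allows three uses; one was consumed above, so the fourth is overrun.
    out["b_uses"] = [naf_b.handle_request(b_tid, now=1)[0] for _ in range(3)]
    new_b_tid, _ = bsf.bootstrap(user)  # UE re-bootstraps after expiry at naf-a
    out["a_new"] = naf_a.handle_request(new_b_tid, now=3601, old_b_tid=b_tid)[0]
    out["old_removed_at_a"] = b_tid not in naf_a.store
    out["b_still_has_old"] = b_tid in naf_b.store  # untouched until it sees the new B-TID
    out["unknown"] = naf_a.handle_request("bogus@bsf.example", now=0)[0]
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point the scenario makes visible is the one Step 308 adds over the prior-art Step 208: a locally cached B-TID is no longer trusted for an indefinite period, and the term of validity is checked on every request, so a stolen B-TID and derived key stop working at that NAF once the lifetime or the use count is exhausted. Other NAFs keep their own derived key and validity until they receive the new B-TID.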

In Step 306 of this embodiment, the BSF may assign the UE a B-TID only valid for a certain NAF and including only an identity. Accordingly, in Step 308, upon receiving an application request message containing the information of the B-TID from the UE, the NAF first determines whether the B-TID is valid for the NAF; if invalid, the NAF will prompt the UE with an error message, and if valid, continues with the subsequent steps. The rest of the steps of the procedure are the same as those shown in FIG. 3 and no further description is hereby given.

The method for assigning a UE a B-TID only valid for a certain NAF and the method for determining whether the B-TID is valid for the NAF have been described in detail in the patent application submitted by this inventor and titled “method for assigning bootstrapping transaction identities” with the application number “200310113233.4”, and no further description is hereby given.

In this embodiment, the term of validity of the secret key corresponding to a B-TID is actually the term of validity of the B-TID, for the B-TID is associated with the secret key corresponding to the B-TID. If a secret key corresponding to a B-TID expires, it means that the term of validity of the B-TID for that NAF has expired.

Second Embodiment

A BSF assigns a UE a B-TID valid only for a certain NAF, and the B-TID is enciphered.

FIG. 4 is a flowchart for verifying the validity of a UE in accordance with the second embodiment of the present invention.

Step 401: A UE sends an application request message to an NAF.

Step 402: Upon receiving the message, the NAF finds that the UE has not performed a mutual authentication with the BSF, and thus instructs the UE to perform a bootstrapping authentication in the BSF.

Step 403: The UE sends to the BSF a bootstrapping request message.

Step 404: Upon receiving the bootstrapping request message from the UE, the BSF queries an HSS for the authentication information and profile of the UE, and receives a response message from the HSS.

Step 405: Upon receiving the response message containing the information found sent from the HSS, the BSF performs an AKA protocol based mutual authentication with the UE using the information found. When completing the AKA based mutual authentication with the UE, i.e. passing the mutual authentication, the BSF generates a secret key shared with the UE (Ks).

Step 406: The BSF assigns the UE an identity valid only for a certain NAF, and then, based on the identity or name of the NAF and the profile information of the UE, assigns a term of validity for the identity of the UE, where the term of validity is a valid lifetime and/or valid times of use. The BSF then enciphers the identity valid for the NAF and the term of validity of the identity using the preset secret key shared between the BSF and the NAF (Knb), takes the enciphered information as a B-TID and sends the B-TID to the UE. Since the UE does not have Knb, the UE is unable to modify the term of validity of the B-TID.

Step 407: Upon receiving the B-TID assigned by the BSF, the UE sends to the NAF an application request message containing the enciphered B-TID.

Step 408: Upon receiving the application request message containing the information of the B-TID sent from the UE, the NAF first determines whether the information of the B-TID exists locally. If it exists, the NAF deciphers the B-TID using Knb and determines whether the valid lifetime or valid times of use is overrun; if overrun, it proceeds to Step 409, otherwise to Step 410.

If there is no information of the B-TID in the NAF, the NAF will first decipher the B-TID using Knb and then determine whether the B-TID is valid for the NAF, where the specific method for performing the determination has been described in detail in the patent application submitted by this inventor and titled “method for assigning bootstrapping transaction identities” with the application number “200310114069.9”. If the B-TID is valid for the NAF, the NAF will send to the BSF a B-TID inquiring message containing the identity of the NAF; otherwise, the NAF will prompt the UE with an error message.

If the BSF finds the information of the B-TID, it will send to the NAF a response message of success containing the B-TID inquired by the NAF and Ks, the secret key shared between the UE and the BSF and corresponding to the B-TID, or a derived secret key generated from Ks, i.e. the derived secret key generated for the inquiring NAF. Upon receiving the response message of success from the BSF, the NAF starts to share with the UE the derived secret key generated for the inquiring NAF. The derived secret key corresponding to the inquiring NAF has been generated by the UE when the UE sent the application request to the NAF using the B-TID assigned by the BSF. After the NAF stores the contents of the response message of success from the BSF, it proceeds to Step 410. If the BSF fails to find the information, it will send a response message of failure to the NAF and proceed to Step 409.

Step 409: The NAF instructs the UE to perform a bootstrapping authentication in the BSF, and ends the procedure.

Step 410: The NAF makes normal communications with the UE, i.e. data transmission, and protects the further communications using the Ks or the derived secret key from Ks.
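Steps 406 and 408 of the second embodiment, the enciphered B-TID, as an added Python example (not code from the patent). The patent only says the identity and its term of validity are "enciphered" under Knb; the security property it relies on, that a UE without Knb cannot modify the term of validity, requires integrity protection as well as confidentiality, so the example uses an encrypt-then-MAC construction built from HMAC-SHA256 (a stdlib stand-in for an AEAD such as AES-GCM, which is what a production BSF would use). Knb, the NAF names, the user identity and the JSON encoding of the B-TID payload are constructed assumptions. The key retrieval from the BSF that follows a successful decipherment is left out; the example covers only the decipher-and-check part of Step 408.

```python
import hashlib
import hmac
import json
import os

# Constructed Knb: the secret pre-shared between the BSF and one NAF.
KNB = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def _subkeys(knb: bytes) -> tuple[bytes, bytes]:
    """Split Knb into an encryption key and a MAC key (assumed construction)."""
    return (hmac.new(knb, b"enc", hashlib.sha256).digest(),
            hmac.new(knb, b"mac", hashlib.sha256).digest())


def _keystream(kenc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC; a stand-in for a real block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kenc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(knb: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    kenc, kmac = _subkeys(knb)
    nonce = os.urandom(16)
    pt = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(kenc, nonce, len(pt))))
    tag = hmac.new(kmac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(knb: bytes, blob: bytes):
    """Verify the tag before decrypting; any modification of the B-TID yields None."""
    kenc, kmac = _subkeys(knb)
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kmac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(kenc, nonce, len(ct))))
    return json.loads(pt)


def bsf_issue_btid(knb: bytes, user_id: str, naf_id: str, now: int, lifetime: int, uses: int) -> bytes:
    """Step 406: the NAF-bound identity and its term of validity, enciphered, is the B-TID."""
    return seal(knb, {"user": user_id, "naf": naf_id,
                      "expires_at": now + lifetime, "uses": uses})


class NAF:
    def __init__(self, naf_id: str, knb: bytes) -> None:
        self.naf_id, self.knb = naf_id, knb
        # The B-TID carries the permitted number of uses; the NAF must count consumption itself.
        self.consumed: dict[bytes, int] = {}

    def check(self, b_tid: bytes, now: int) -> str:
        """Step 408: 'ok', 'rebootstrap' (Step 409) or 'error' (tampered or another NAF's B-TID)."""
        fields = unseal(self.knb, b_tid)
        if fields is None or fields["naf"] != self.naf_id:
            return "error"
        used = self.consumed.get(b_tid, 0)
        if now >= fields["expires_at"] or used >= fields["uses"]:
            return "rebootstrap"
        self.consumed[b_tid] = used + 1
        return "ok"


def run_scenario() -> dict:
    naf_a = NAF("naf-a.example", KNB)
    user = "user@home.example"
    out = {}
    b_tid = bsf_issue_btid(KNB, user, "naf-a.example", now=100, lifetime=60, uses=2)
    out["first"] = naf_a.check(b_tid, now=110)
    out["second"] = naf_a.check(b_tid, now=120)
    out["uses_exhausted"] = naf_a.check(b_tid, now=130)
    fresh = bsf_issue_btid(KNB, user, "naf-a.example", now=100, lifetime=60, uses=5)
    out["lifetime_overrun"] = naf_a.check(fresh, now=160)
    # Issued for naf-b (under the same Knb here only to isolate the NAF-binding check).
    for_b = bsf_issue_btid(KNB, user, "naf-b.example", now=100, lifetime=60, uses=5)
    out["wrong_naf"] = naf_a.check(for_b, now=110)
    tampered = bytearray(fresh)
    tampered[20] ^= 0x01  # one ciphertext bit changed without Knb: the tag no longer verifies
    out["tampered"] = naf_a.check(bytes(tampered), now=110)
    out["fresh_still_ok"] = naf_a.check(fresh, now=110)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two details are worth checking in any real implementation of this embodiment: the tag is verified before anything is decrypted or parsed (so a malformed or modified B-TID is rejected without touching the cipher), and the valid times of use is a ceiling carried inside the B-TID while the count of uses actually consumed lives in NAF state, since a stateless B-TID cannot record its own consumption.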

When the B-TID used by the UE has expired for a certain NAF, the UE will perform mutual authentication in the BSF again. After the authentication succeeds, the BSF will assign the UE a new B-TID and generate a new shared secret key, Ks′, corresponding to the new B-TID, where the new B-TID is also enciphered. When the UE sends an application request to the NAF again, the request message contains the information of both the new B-TID and the old B-TID.

When an NAF receives a new B-TID, the NAF will always conduct inquiry of the B-TID in the BSF. If the inquiry succeeds, the BSF will return to the NAF a response message of success which also contains the B-TID inquired by the NAF, and Ks′ or the derived secret key generated from Ks′. Upon receiving the response message of success from the BSF, the NAF starts to share Ks′ or the derived secret key from Ks′ with the UE. The NAF will store the new B-TID and the Ks′, and disable or delete the locally-stored old B-TID and the Ks.

Third Embodiment

The BSF assigns a UE a B-TID valid only for a certain NAF, and does not encipher the B-TID.

FIG. 5 is a flowchart for verifying the validity of a UE in accordance with the third embodiment of the present invention.

Step 501: A UE sends an application request message to an NAF.

Step 502: Upon receiving the message, the NAF finds that the UE has not performed a mutual authentication with the BSF, and thus instructs the UE to perform a bootstrapping authentication in the BSF.

Step 503: The UE sends to the BSF a bootstrapping request message.

Step 504: Upon receiving the bootstrapping request message from the UE, the BSF queries an HSS for the authentication information and profile of the UE, and receives a response message from the HSS.

Step 505: Upon receiving the response message containing the information found sent from the HSS, the BSF performs an AKA protocol based mutual authentication with the UE using the information found. When completing the AKA based mutual authentication with the UE, i.e. passing the mutual authentication, the BSF generates a secret key shared with the UE (Ks).

Step 506: The BSF assigns the UE an identity valid only for a certain NAF, and takes the identity as a B-TID. Then, based on the identity or name of the NAF and the profile information of the UE, the BSF assigns and stores a term of validity for the B-TID of the UE, where the term of validity is a valid lifetime and/or valid times of use, and sends the assigned B-TID to the UE.

Step 507: Upon receiving the B-TID assigned by the BSF, the UE sends to the NAF an application request message containing the information of the B-TID again.

Step 508: Upon receiving the application request message containing the information of the B-TID sent from the UE, the NAF first determines whether the B-TID is valid for the NAF; if invalid, the NAF will prompt the UE with an error message; if valid, the NAF will further determine whether the information of the B-TID exists locally. If the information of the B-TID exists, the NAF determines whether the valid lifetime or valid times of use is overrun; if overrun, it proceeds to Step 509, otherwise to Step 510.

If there is no information of the B-TID in the NAF, the NAF will send to the BSF a B-TID inquiring message containing the identity of the local NAF. If the BSF finds the B-TID, it will send to the NAF a response message of success containing the B-TID inquired by the NAF, the term of validity corresponding to the B-TID, and Ks, the secret key for the B-TID shared between the UE and the BSF, or the derived secret key generated from Ks, i.e. the derived secret key generated for the inquiring NAF. Upon receiving the response message of success from the BSF, the NAF starts to share with the UE the derived secret key generated according to the inquiring NAF, which has been generated by the UE when the UE sent the application request to the NAF using the B-TID assigned by the BSF. After the NAF stores the contents of the response message of success from the BSF, it proceeds to Step 510. If the BSF fails to find the information, it will send a response message of failure to the NAF, informing the NAF that there is no information of the UE, and proceed to Step 509.

Step 509: The NAF instructs the UE to perform a bootstrapping authentication in the BSF, and ends this procedure.

Step 510: The NAF makes normal communications with the UE, i.e. data transmission, and protects further communications using the Ks or the derived secret key from Ks.

When the B-TID used by a UE has expired for a certain NAF, the UE will perform a bootstrapping authentication in the BSF again. After the authentication succeeds, the BSF will assign the UE a new B-TID and generate a new shared secret key, Ks′, corresponding to the new B-TID. When the UE sends an application request again to the NAF, the request message will contain the information of both the new B-TID and the old B-TID.

When an NAF receives a new B-TID, the NAF will conduct inquiry of the new B-TID in the BSF. If the inquiry succeeds, the BSF will return to the NAF a response message of success which also contains the B-TID inquired by the NAF, the term of validity corresponding to the B-TID, and Ks′ or the derived secret key generated from Ks′. Upon receiving the response message of success from the BSF, the NAF starts to share Ks′ or the derived secret key from Ks′ with the UE. The NAF will store the new B-TID and the secret key associated with the B-TID, and disable or delete the locally-stored old B-TID and the secret key associated with the old B-TID.

In the third embodiment, when assigning a B-TID for a UE, the BSF may not assign the term of validity corresponding to the B-TID at first. Instead, the BSF may assign a term of validity corresponding to the B-TID according to the identity of the NAF and the profile information of the UE when the NAF conducts inquiry of the B-TID in the BSF.

The term of validity of the B-TID may be used in billing. If the billing is based on time, a B-TID may be taken as a time unit, and charging for one day's use may be made whenever a new B-TID is assigned. If the billing is based on times of use, a B-TID may be charged according to the times of use it is assigned. The billing operation may be implemented when a BSF assigns a B-TID, or when an NAF uses a B-TID.
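The third embodiment (Steps 506 to 510), its deferred assignment of the term of validity at inquiry time, and the two billing modes described above, as an added Python example (not code from the patent). The BSF keeps the term of validity itself and returns it in the response message of success; the NAF only checks it. Assumptions not in the patent: the NAF identity is embedded in the B-TID as a suffix so the NAF can see which NAF it was issued for (the patent defers that check to a separate application); the subscriber profiles, validity policy, NAF names and billing ledger are constructed stand-ins; billing here is done by the BSF at the moment the term of validity becomes known.

```python
import os
from dataclasses import dataclass
from typing import Optional

DAY = 86400
# Constructed stand-ins for the HSS profile document and the BSF's validity policy.
PROFILES = {"alice@home.example": "gold", "bob@home.example": "basic"}
POLICY = {  # (profile, NAF) -> (valid lifetime in seconds, valid times of use)
    ("gold", "naf-a.example"): (DAY, 100),
    ("gold", "naf-b.example"): (DAY, 100),
    ("basic", "naf-a.example"): (3600, 10),
}


@dataclass
class Term:
    expires_at: int
    uses: int


class BSF:
    def __init__(self, billing: str = "time") -> None:
        self.billing = billing               # "time": one day per B-TID; "uses": per times of use
        self.records: dict[str, dict] = {}   # B-TID -> {"user", "naf", "term"}
        self.ledger: list[dict] = []         # constructed billing records

    def _term_for(self, user: str, naf_id: str, now: int) -> Term:
        lifetime, uses = POLICY[(PROFILES[user], naf_id)]
        return Term(now + lifetime, uses)

    def _charge(self, user: str, b_tid: str, term: Term) -> None:
        units = 1 if self.billing == "time" else term.uses
        self.ledger.append({"user": user, "b_tid": b_tid, "units": units})

    def assign_btid(self, user: str, naf_id: str, now: int, assign_term_now: bool = True) -> str:
        """Step 506. With assign_term_now=False the term is deferred to inquire()."""
        b_tid = f"{os.urandom(8).hex()}@{naf_id}"  # assumption: NAF identity embedded
        term = self._term_for(user, naf_id, now) if assign_term_now else None
        self.records[b_tid] = {"user": user, "naf": naf_id, "term": term}
        if term is not None:
            self._charge(user, b_tid, term)
        return b_tid

    def inquire(self, b_tid: str, naf_id: str, now: int) -> Optional[dict]:
        """BSF side of Step 508: success only for the NAF the B-TID was issued for."""
        rec = self.records.get(b_tid)
        if rec is None or rec["naf"] != naf_id:
            return None
        if rec["term"] is None:  # deferred: decided now from NAF identity and profile
            rec["term"] = self._term_for(rec["user"], naf_id, now)
            self._charge(rec["user"], b_tid, rec["term"])
        return {"b_tid": b_tid, "term": rec["term"]}

    def bill(self, user: str) -> int:
        return sum(e["units"] for e in self.ledger if e["user"] == user)


class NAF:
    def __init__(self, naf_id: str, bsf: BSF) -> None:
        self.naf_id, self.bsf = naf_id, bsf
        self.store: dict[str, dict] = {}  # B-TID -> {"term", "used"}

    def handle(self, b_tid: str, now: int) -> str:
        """Step 508: 'error' (not this NAF's B-TID), 'rebootstrap' (Step 509) or 'ok'."""
        if not b_tid.endswith("@" + self.naf_id):
            return "error"
        rec = self.store.get(b_tid)
        if rec is None:
            resp = self.bsf.inquire(b_tid, self.naf_id, now)
            if resp is None:
                return "rebootstrap"
            rec = self.store[b_tid] = {"term": resp["term"], "used": 0}
        if now >= rec["term"].expires_at or rec["used"] >= rec["term"].uses:
            return "rebootstrap"
        rec["used"] += 1
        return "ok"


def run_scenario() -> dict:
    out = {}
    bsf = BSF(billing="time")
    naf_a = NAF("naf-a.example", bsf)
    alice = bsf.assign_btid("alice@home.example", "naf-a.example", now=0)
    out["alice_ok"] = naf_a.handle(alice, now=10)
    out["alice_expired"] = naf_a.handle(alice, now=DAY)
    bob = bsf.assign_btid("bob@home.example", "naf-a.example", now=0, assign_term_now=False)
    out["bob_unbilled_before_inquiry"] = bsf.bill("bob@home.example") == 0
    out["bob_ok"] = naf_a.handle(bob, now=100)          # term assigned at inquiry
    out["bob_expired"] = naf_a.handle(bob, now=100 + 3600)
    out["bob_billed_after_inquiry"] = bsf.bill("bob@home.example") == 1
    for_b = bsf.assign_btid("alice@home.example", "naf-b.example", now=0)
    out["wrong_naf"] = naf_a.handle(for_b, now=5)
    out["alice_day_units"] = bsf.bill("alice@home.example")  # two B-TIDs, two day units
    by_uses = BSF(billing="uses")
    by_uses.assign_btid("bob@home.example", "naf-a.example", now=0)
    out["bob_use_units"] = by_uses.bill("bob@home.example")  # basic profile: 10 uses
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Deferring the term of validity to inquiry time, as the paragraph before the billing discussion allows, lets the BSF size the lifetime to the NAF that actually asks rather than guessing at assignment; the cost is that the BSF must hold unbilled records until the first inquiry, which the ledger checks make explicit.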

The foregoing is only preferred embodiments of the present invention and is not intended to limit the present invention. Any modification, equivalent substitution, or improvement made without departing from the spirit and principle of the present invention should be covered by the scope set forth in the appended claims.

1. A method for verifying the validity of a user, applied to the thirdgeneration radio communications in which a network application function(NAF) verifying the validity of a user by means of a genericauthentication architecture, the method comprising: upon receiving anapplication request message containing a bootstrapping transactionidentifier (B-TID) from a user equipment (UE), the NAF checking whetherthere is the B-TID information in the NAF; if finding the B-TIDinformation, the NAF determining whether the B-TID expires based on apreset term of validity for the B-TID, if the B-TID expires, the NAFmaking normal communications with the UE; otherwise, the NAF instructingthe UE to return to a bootstrapping server function (BSF) to perform abootstrapping authentication; if not finding the B-TID information, theNAF sending to the BSF a B-TID inquiring message containing an identityof the NAF, if the BSF finding the B-TID inquired by the NAF, the BSFreturning to the NAF a response message of success containing theinformation of the B-TID and the term of validity of the B-TID, and theNAF storing said the information of B-TID and the term of validity ofthe B-TID in the response message and making normal communications withthe UE; if the BSF failing to find the B-TID inquired by the NAF, theBSF returning to the NAF a response message of failure, and the NAFinstructing the UE to perform a bootstrapping authentication in the BSF.2. 
The method according to claim 1, further comprising before the NAFchecking whether there is the B-TID information: a secret key shared bythe UE and the BSF, Ks, being generated after passing a mutualauthentication between the UE and the BSF; the BSF assigning the UE aB-TID including only a B-TID identity, which is valid for one or moreNAFs at the same time and associated with the secret key; upon receivingthe B-TID assigned by the BSF, the UE sending to the NAF the serviceapplication request message containing the B-TID, and the NAF checkingwhether there is the B-TID information in the NAF; further comprisingafter the BSF finding the B-TID inquired by the NAF: based on the B-TIDfound, the secret key associated with the B-TID and the identity of theinquiring NAF, the BSF generating a derived secret key associated withthe B-TID and valid for the inquiring NAF, assigning a term of validityfor the derived secret key, and sending a response message of success tothe NAF; wherein the response message of success further comprises thederived secret key, and the term of validity of the B-TID in theresponse message of success returned by the BSF is the term of validityof the derived secret key.
 3. The method according to claim 1, furthercomprising before the NAF checking whether there is the B-TIDinformation: a secret key shared between the UE and the BSF, Ks, beinggenerated during a mutual authentication between the UE and the BSF; theBSF assigning the UE a B-TID including only one B-TID identity, which isvalid only for the NAF and associated with the secret key, and sendingthe assigned B-TID to the UE; upon receiving an application requestmessage containing the B-TID from the UE, the NAF determining whetherthe B-TID is valid for the NAF, if valid, the NAF checking whether thereis the B-TID information in the NAF; otherwise, the NAF prompting the UEwith an error message; further comprising after the BSF finding theB-TID inquired by the NAF: based on the information of the B-TID found,the secret key associated with the B-TID and an identity of theinquiring NAF, the BSF generating a derived secret key associated withthe B-TID and valid for the inquiring NAF, assigning a term of validityfor the derived secret key, and sending a response message of success tothe NAF; wherein the response message of success further comprises thederived secret key valid for the inquiring NAF, and the term of validityof the B-TID in the response message of success returned by the BSF isthe term of validity of the derived secret key.
4. The method according to claim 1, further comprising before the NAF checking whether there is the B-TID information: setting a secret key shared between the BSF and the NAF, Knb; a secret key shared between the UE and the BSF, Ks, being generated during a mutual authentication between the UE and the BSF; the BSF assigning the UE an identity valid only for the NAF as well as the term of validity for using the identity, enciphering the assigned identity and the term of validity thereof using the Knb, taking the enciphered identity as a B-TID associated with the secret key, and sending the B-TID to the UE; upon receiving the B-TID assigned by the BSF, the UE sending to the NAF an application request message containing the B-TID, and the NAF checking whether there is the B-TID information in the NAF; further comprising before the NAF determining whether the B-TID expires: the NAF deciphering the received B-TID using the Knb; further comprising before the NAF sending to the BSF the B-TID inquiring message: the NAF deciphering the received B-TID using the Knb, and determining whether the B-TID is valid for the NAF, if valid, the NAF sending to the BSF the B-TID inquiring message; otherwise, prompting the UE with an error message; wherein the response message of success returned by the BSF further comprises the secret key associated with the B-TID inquired by the NAF.
5. The method according to claim 1, further comprising before the NAF checking whether there is the B-TID information: a secret key shared between the UE and the BSF, Ks, being generated from a mutual authentication between the UE and the BSF; the BSF assigning the UE a B-TID including only the identity valid for the NAF and assigning a term of validity for the B-TID, wherein the B-TID is associated with the secret key, storing the assigned B-TID and the term of validity thereof, and sending the assigned B-TID to the UE; upon receiving an application request message containing the B-TID from the UE, the NAF determining whether the B-TID is valid for the NAF, if valid, the NAF checking whether there is the B-TID information in the NAF; otherwise, prompting the UE with an error message; wherein the response message of success returned by the BSF further comprises the secret key associated with the B-TID inquired by the NAF.
6. The method according to claim 1, further comprising: after succeeding in performing a bootstrapping authentication in the BSF, the UE receiving a new B-TID assigned by the BSF, and generating a secret key, Ks′, associated with the new B-TID; upon receiving an application request message containing the new B-TID and the old B-TID from the UE, the NAF conducting inquiry in the BSF; upon receiving a response message of success from the BSF, the NAF storing the new B-TID of the UE and the secret key associated with the new B-TID, and deleting or disabling the old B-TID previously stored in the NAF and the secret key associated with the old B-TID.
7. The method according to claim 6, wherein said secret key associated with the B-TID is a derived secret key which is derived, in connection with the inquiring NAF, from a root secret key associated with the B-TID.
8. The method according to claim 2, further comprising: after succeeding in performing a bootstrapping authentication in the BSF, the UE receiving a new B-TID assigned by the BSF, and generating a secret key, Ks′, associated with the new B-TID; upon receiving an application request message containing the new B-TID and the old B-TID from the UE, the NAF conducting inquiry in the BSF; upon receiving a response message of success from the BSF, the NAF storing the new B-TID of the UE and the secret key associated with the new B-TID, and deleting or disabling the old B-TID previously stored in the NAF and the secret key associated with the old B-TID.
9. The method according to claim 8, wherein said secret key associated with the B-TID is a derived secret key which is generated, corresponding to the inquiring NAF, from a root secret key associated with the B-TID.
10. The method according to claim 3, further comprising: after succeeding in performing a bootstrapping authentication in the BSF, the UE receiving a new B-TID assigned by the BSF, and generating a secret key, Ks′, associated with the new B-TID; upon receiving an application request message containing the new B-TID and the old B-TID from the UE, the NAF conducting inquiry in the BSF; upon receiving a response message of success from the BSF, the NAF storing the new B-TID of the UE and the secret key associated with the new B-TID, and deleting or disabling the old B-TID previously stored in the NAF and the secret key associated with the old B-TID.
11. The method according to claim 10, wherein said secret key associated with the B-TID is a derived secret key which is derived, in connection with the inquiring NAF, from a root secret key associated with the B-TID.
12. The method according to claim 4, further comprising: after succeeding in performing a bootstrapping authentication in the BSF, the UE receiving a new B-TID assigned by the BSF, and generating a secret key, Ks′, associated with the new B-TID; upon receiving an application request message containing the new B-TID and the old B-TID from the UE, the NAF conducting inquiry in the BSF; upon receiving a response message of success from the BSF, the NAF storing the new B-TID of the UE and the secret key associated with the new B-TID, and deleting or disabling the old B-TID previously stored in the NAF and the secret key associated with the old B-TID.
13. The method according to claim 12, wherein said secret key associated with the B-TID is a derived secret key which is derived, in connection with the inquiring NAF, from a root secret key associated with the B-TID.
14. The method according to claim 5, further comprising: after succeeding in performing a bootstrapping authentication in the BSF, the UE receiving a new B-TID assigned by the BSF, and generating a secret key, Ks′, associated with the new B-TID; upon receiving an application request message containing the new B-TID and the old B-TID from the UE, the NAF conducting inquiry in the BSF; upon receiving a response message of success from the BSF, the NAF storing the new B-TID of the UE and the secret key associated with the new B-TID, and deleting or disabling the old B-TID previously stored in the NAF and the secret key associated with the old B-TID.
15. The method according to claim 14, wherein said secret key associated with the B-TID is a derived secret key which is derived, in connection with the inquiring NAF, from a root secret key associated with the B-TID.
16. The method according to claim 2, wherein said term of validity is determined by the BSF based on a security level of the inquiring NAF and profile information of the UE.
17. The method according to claim 3, wherein said term of validity is determined by the BSF based on a security level of the inquiring NAF and profile information of the UE.
18. The method according to claim 4, wherein said term of validity is determined by the BSF based on the identity or name of the NAF and on profile information of the UE.
19. The method according to claim 5, wherein said term of validity is determined by the BSF based on the identity or name of the NAF and on profile information of the UE.
20. The method according to claim 1, further comprising: the NAF or the BSF performing billing operations according to the term of validity of the B-TID.
21. The method according to claim 1, wherein said term of validity is a lifetime or valid times of use.
22. A method for verifying the validity of a user, applied to the third generation radio communications in which a network application function (NAF) verifying the validity of a user by means of a generic authentication architecture, the method comprising: upon receiving an application request message containing a bootstrapping transaction identifier (B-TID) from a user equipment (UE), the NAF checking whether there is B-TID information in the NAF, if finding the B-TID information, the NAF determining whether the B-TID expires based on a preset term of validity for the B-TID, if the B-TID expires, the NAF making normal communications with the UE; if the B-TID does not expire, the NAF instructing the UE to perform a bootstrapping authentication in a bootstrapping server function (BSF).
23. The method according to claim 22, further comprising before the NAF checking whether there is the B-TID information: a secret key shared by the UE and the BSF, Ks, being generated after passing a mutual authentication between the UE and the BSF, the BSF assigning the UE a B-TID including only a B-TID identity, which is valid for one or more NAFs at the same time and associated with the secret key; upon receiving the B-TID assigned by the BSF, the UE sending to the NAF the service application request message containing the B-TID, and the NAF checking whether there is the B-TID information in the NAF.
24. The method according to claim 22, further comprising before the NAF checking whether there is the B-TID information: a secret key shared between the UE and the BSF, Ks, being generated during a mutual authentication between the UE and the BSF; the BSF assigning the UE a B-TID including only a B-TID identity, which is valid only for the NAF and associated with the secret key, and sending the assigned B-TID to the UE; upon receiving an application request message containing the B-TID from the UE, the NAF determining whether the B-TID is valid for the NAF, if valid, the NAF checking whether there is the B-TID information in the NAF; otherwise, the NAF prompting the UE with an error message.
25. The method according to claim 22, further comprising before the NAF checking whether there is the B-TID information: setting a secret key shared between the BSF and the NAF, Knb; a secret key shared between the UE and the BSF, Ks, being generated during a mutual authentication between the UE and the BSF; the BSF assigning the UE an identity valid only for the NAF as well as the term of validity for using the identity, enciphering the assigned identity and the term of validity thereof using the Knb, taking the enciphered identity as a B-TID associated with the secret key, and sending the B-TID to the UE; upon receiving the B-TID assigned by the BSF, the UE sending to the NAF an application request message containing the B-TID, and the NAF checking whether there is the B-TID information in the NAF; further comprising before the NAF determining whether the B-TID expires: the NAF deciphering the received B-TID using the Knb.
26. The method according to claim 22, further comprising before the NAF checking whether there is the B-TID information: a secret key shared between the UE and the BSF, Ks, being generated from a mutual authentication between the UE and the BSF; the BSF assigning the UE a B-TID including only the identity valid for the NAF and assigning a term of validity for the B-TID, wherein the B-TID is associated with the secret key, storing the assigned B-TID and the term of validity thereof, and sending the assigned B-TID to the UE; upon receiving an application request message containing the B-TID from the UE, the NAF determining whether the B-TID is valid for the NAF, if valid, the NAF checking whether there is the B-TID information in the NAF; otherwise, prompting the UE with an error message.
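As an added illustration that is not part of the patent text, the following Python sketch models the NAF-side handling that claims 2, 3 and 6 describe: a local lookup of the B-TID, an expiry check against the BSF-assigned term of validity, a BSF inquiry that returns a key derived for the inquiring NAF together with its lifetime, and the retirement of an old B-TID when the UE presents a new one beside it. The class and method names, the HMAC-based key derivation and the fixed lifetime are assumptions; the claims specify none of these details.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass

@dataclass
class NafEntry:
    """What a NAF stores per B-TID after a successful BSF inquiry (claims 2 and 3)."""
    ks_naf: bytes      # derived key valid only for this NAF
    expires_at: float  # absolute deadline set from the BSF-assigned lifetime

class ToyBSF:
    """Toy BSF (assumed interface): keeps Ks per B-TID and answers NAF inquiries."""
    def __init__(self, lifetime):
        self.ks_by_btid = {}
        self.lifetime = lifetime   # term of validity the BSF assigns (claim 2)
    def bootstrap(self):
        # UE/BSF mutual authentication is assumed to have already succeeded.
        btid = secrets.token_hex(8)
        self.ks_by_btid[btid] = secrets.token_bytes(32)   # Ks shared with the UE
        return btid
    def inquire(self, btid, naf_id, now):
        ks = self.ks_by_btid.get(btid)
        if ks is None:
            return None          # failure response: B-TID unknown to the BSF
        # Key derived for the inquiring NAF; HMAC over B-TID and NAF id is an assumption.
        ks_naf = hmac.new(ks, f"{btid}|{naf_id}".encode(), hashlib.sha256).digest()
        return NafEntry(ks_naf, now + self.lifetime)

class ToyNAF:
    def __init__(self, naf_id, bsf):
        self.naf_id, self.bsf = naf_id, bsf
        self.cache = {}          # B-TID -> NafEntry
    def handle_request(self, btid, now, old_btid=None):
        """Return 'serve' if the UE may be served, 'bootstrap' if it must re-bootstrap."""
        if old_btid is None:
            entry = self.cache.get(btid)
            if entry is not None:
                if now < entry.expires_at:
                    return "serve"
                del self.cache[btid]       # term of validity ended: force re-bootstrap
                return "bootstrap"
        # Not cached, or the UE presented a new B-TID beside its old one (claim 6):
        # inquire at the BSF; on success store the new entry and retire the old one.
        entry = self.bsf.inquire(btid, self.naf_id, now)
        if entry is None:
            return "bootstrap"
        self.cache[btid] = entry
        if old_btid is not None:
            self.cache.pop(old_btid, None)
        return "serve"
```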